CVE CyberSecurity Database News

CVE-2023-47757 - How a CSRF and Missing Authorization Bug in the AWeber WordPress Plugin Lets Attackers Exploit Your Site

Poster -

*Published: June 2024 — By: WordSecWrite*


WordPress plugins are great for extending your website’s features, but they can open big security holes if not carefully coded. CVE-2023-47757 demonstrates just that—a combination of *missing authorization* and *Cross-Site Request Forgery (CSRF)* in the popular AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth. Let’s break down what went wrong, how attackers can exploit this, and how you can protect your site.

What is CVE-2023-47757?

CVE-2023-47757 is a security issue in the AWeber plugin for WordPress affecting versions up to 7.3.9 (and possibly earlier, as n/a through 7.3.9 is given by researchers). It arises because:

- The plugin does not properly check authorization before granting access to certain functions (Missing Authorization/Missing Access Controls).
- It is vulnerable to CSRF, meaning that a malicious website can trick a logged-in WordPress administrator into performing unwanted actions.

Original Reference:
- WPScan Advisory
- NVD Entry

Both Missing Authorization and CSRF combine to create a dangerous situation

- Missing Authorization: Critical plugin features can be accessed by anyone who sends the right request, regardless of whether they're supposed to have access.
- CSRF: Logged-in users’ browsers can be tricked via malicious webpages/emails into sending these sensitive requests.

Real-World Example: What Could Go Wrong?

Suppose the plugin exposes an AJAX endpoint like admin-ajax.php?action=aweber_delete_form to manage or delete forms.

If the code looks like this

add_action('wp_ajax_aweber_delete_form', 'aweber_delete_form_function');

function aweber_delete_form_function() {
    // Missing: if(!current_user_can('manage_options')) { wp_die('Unauthorized'); }

    $form_id = $_POST['form_id'];
    aweber_delete_form_by_id($form_id);
    echo json_encode(['status' => 'Form deleted']);
    wp_die();
}

What’s missing?
There’s no check that the user has permission (manage_options) or similar. Anyone who can send the request can delete a form!

Find a vulnerable site running the AWeber plugin ≤ 7.3.9.

2. Craft a malicious page/email that, when visited by an admin, silently makes a POST request to delete a form.

Example Exploit (CSRF via HTML form)

<form id="csrfPwn" action="https://victimsite.com/wp-admin/admin-ajax.php?action=aweber_delete_form"; method="POST">
  <input type="hidden" name="form_id" value="1234">
</form>
<script>document.getElementById('csrfPwn').submit();</script>

If an _administrator_ of the target site is logged in to their dashboard and visits the attacker’s page, the browser sends the request with administrator cookies, and the form is deleted.

Why It Works

- No CSRF token / nonce check.
- No user capability check (so anyone logged in—potentially even non-admins, depending on plugin handling).

Delete, modify, or extract plugin data.

- Potentially chain attacks to gain more access or disrupt newsletter and lead generation functionality.

Mitigation: Protect Your Site

AWeber has reportedly fixed the issue in newer versions. If you’re using 7.3.9 or lower, update now!

A secure handler should always check for

function aweber_delete_form_function() {
    if ( ! current_user_can('manage_options') ) {
        wp_send_json_error('Unauthorized', 401);
        return;
    }
    check_admin_referer('aweber_delete_form_action');

    $form_id = $_POST['form_id'];
    aweber_delete_form_by_id($form_id);
    wp_send_json_success('Form deleted');
}

What Should Site Owners Do?

- Update the AWeber plugin to the latest version.
- Regularly review plugin vulnerability alerts (e.g., via WPScan).

References

- WPScan vulnerability report
- National Vulnerability Database
- AWeber WordPress plugin page


Summary:
With CVE-2023-47757, attackers could exploit missing authorization and CSRF bugs in the AWeber plugin, leading to unwanted form deletions or worse, just by luring an admin to a malicious page. If you use this plugin, update it right away. Security isn’t set-and-forget—always keep your defenses sharp!

Timeline

Published on: 11/17/2023 09:15:23 UTC
Last modified on: 11/25/2023 02:14:53 UTC